Classifications

H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication

H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response

G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer

G06F21/81—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer by operating on the power supply, e.g. enabling or disabling power-on, sleep or resume operations

H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

H04M1/0262—Details of the structure or mounting of specific components for a battery compartment

Abstract

Translated from Chinese

Methods, systems, and computer programs for managing authentication data for an authentication device are disclosed. An authentication device may be included, for example, in a mobile device battery so that the mobile device can authenticate the battery. In some implementations, encrypted certificate data are stored on the authentication device. The encrypted certificate data are accessed, and unencrypted certificate data are generated by decrypting the encrypted certificate data. The unencrypted certificate data are stored on the authentication device. The unencrypted certificate data enable the authentication device to provide a valid reply message, for example, in response to receiving an interrogation message from the mobile device. In some implementations, the reply message includes the unencrypted certificate data and a response value generated by the authentication device based on a secret value.

[0002] Some products can authenticate product accessories to ensure that the accessory is approved by the product manufacturer. For example, some smartphones can authenticate a battery when the battery is installed, before charging, or at other times. In this case, a genuine battery approved by the smartphone manufacturer includes an authentication device that generates data the smartphone can authenticate. The authentication device and the other components of the battery are typically manufactured and assembled by multiple different entities during the battery manufacturing process.

[0008] Like reference numbers and designations in the various drawings indicate like elements.

Detailed Description

[0009] Product manufacturers include authentication devices in their products to reduce the likelihood of counterfeiting. The authentication device contains authentication data (e.g., secret key values, certificate data, etc.) that can be used to establish the authenticity of the product. Authentication devices are typically manufactured and then integrated into an end product. For example, an authentication device for a mobile device battery is typically manufactured by a semiconductor manufacturer and then integrated into a circuit board by a circuit board manufacturer, and a battery manufacturer then integrates the circuit board into the mobile device battery. As such, the authentication device may pass through many locations and be handled by multiple different entities before the product is completed or delivered to the product manager.

[0010] Complex manufacturing and supply chains are vulnerable to overproduction and shipping schemes, in which legitimate products are stolen and re-shipped to illegitimate (e.g., counterfeit, underground, etc.) markets. For example, legitimate authentication devices may be overproduced and included in counterfeit batteries, and if the overproduced authentication devices are operational, the counterfeit batteries can pass authentication by a smartphone. As another example, legitimate batteries with legitimate authentication devices may be overproduced and sold through underground channels. Counterfeit devices can create problems for product manufacturers, consumers, and others. For example, counterfeit devices may pose safety hazards, which can lead to the company being sued and to the replacement of genuine products. As another example, counterfeit devices may not perform in the manner consumers expect. In some scenarios, overproduction is difficult to avoid, and overproduced devices are difficult to track or detect.

[0011] Complex manufacturing and supply chains are also vulnerable to data security concerns. For example, an authentication device is authenticated based on authentication data (e.g., certificate data, key data, etc.) stored on the authentication device. A malicious party could potentially intercept the authentication data during the manufacturing process and include the authentication data in counterfeit products. For example, the authentication device may use a public key cryptography scheme and a certificate for the public key. For example, the authentication device manufacturer may store the private key and the public key on the authentication device during the manufacturing process. Even if the authentication device manufacturer is trusted, the authentication device may later be included in a subsystem by another manufacturer that is not trusted. Therefore, in some cases, the product manager must prevent the authentication device manufacturer from manufacturing valid authentication devices.

[0012] In some implementations, storing the authentication data in an encrypted format during all or part of the manufacturing process can reduce the risk of legitimate authentication devices being diverted during the manufacturing process and the risk of valid authentication data being stolen. For example, the authentication data can be delivered to the authentication device manufacturer in an encrypted format, and the authentication device manufacturer can store the encrypted authentication data on the authentication device. Later, another entity in the manufacturing process can decrypt the authentication data. Storing the encrypted authentication data on the authentication device also allows the authentication device itself to carry the authentication data securely through the manufacturing process, and reduces counterfeiters' incentive to divert legitimate devices. For example, because the authentication data are encrypted, a potential counterfeiter cannot efficiently enable operation of a diverted authentication device without the cryptographic secret (e.g., the secret key used to decrypt the encrypted authentication data). The cryptographic secret for decrypting the authentication data can be accessed only by the product manufacturer or another trusted entity later in the manufacturing process, such that, for example, the authentication device is inoperable when it leaves the authentication device manufacturer's facility.

[0013] In addition, some types of manufacturing processes are performed at locations that have unreliable or insufficient data communication capabilities. Thus, delivering the authentication data for each authentication device directly to the manufacturing facility may be impractical or inefficient. In some implementations, transporting the authentication data on the authentication device itself helps ensure that the needed information is available at the end-product manufacturing site rather than at the semiconductor manufacturer. For example, the end-product manufacturing site may only need to receive the cryptographic key used to decrypt the authentication data, rather than receiving the authentication data itself (which can be much larger than the cryptographic key).

[0014] As a specific example, if a battery's authentication device is not operational until a later stage of the battery manufacturing process, or until after manufacturing is complete, the risk of battery authentication devices being re-shipped to counterfeit markets can be reduced. Thus, to limit the trust required of the semiconductor manufacturer that produces the authentication device, the semiconductor manufacturer can be provided with an encrypted version of the authentication data (e.g., a certificate for the authentication device's public key). In this case, the semiconductor manufacturer can produce authentication devices that function but lack the information resources required for mobile device authentication. The battery manufacturer that receives the authentication devices can later decrypt the authentication data stored on the authentication devices.

[0015] FIG. 1 is a schematic diagram of an example authentication system 100. The authentication system 100 includes a primary device 106 and a secondary device 102. The primary device 106 includes an interrogator module 108, and the secondary device 102 includes an authentication module 104. The authentication system 100 can include additional or different components, which may be configured as shown and described with respect to FIG. 1 or in a different manner.

[0016] The interrogator module 108 can approve or reject authentication of the authentication module 104 based on messages exchanged between the interrogator module 108 and the authentication module 104. For example, the authentication module 104 may be required to prove to the interrogator module 108 that it knows some secret information. In the example shown in FIG. 1, the interrogator module 108 sends an interrogation message 124 to the authentication module 104, and the authentication module 104 then sends a reply message 122 to the interrogator module 108. The example interrogation message 124 includes a challenge value, and the example reply message 122 includes a provided response value and certificate data. In some implementations, the messages include additional or different types of information. If the authentication module 104 sends the correct response value and a valid certificate, the interrogator module 108 can approve the secondary device 102 that includes the authentication module 104.

[0017] In general, the primary device 106 and the secondary device 102 can be any type of system, module, device, component, or combination thereof. In some examples, the primary device 106 can be a mobile device. Examples of mobile devices include various types of cellular devices, smartphones, portable media players, personal digital assistants (PDAs), laptop computers, notebook computers, tablet computers, etc. FIG. 2 shows a specific example of a primary device and a secondary device. In the example shown in FIG. 2, the primary device is the mobile device 200, and the secondary device is the battery 230. In other examples where the primary device 106 is a mobile device, the secondary device 102 can be a different type of accessory to be paired with the mobile device. For example, the secondary device 102 can be a handset, a charger, a keyboard, a pointing device, a replacement part, or another type of accessory for the mobile device.

[0018] The primary device 106 and the secondary device 102 can alternatively be components of other types of systems. Examples of other types of primary devices include consumer electronics, computing devices, consumer appliances, transmission systems, manufacturing systems, security systems, pharmaceutical products, medical devices, etc. In some implementations, the primary device 106 is a printer and the secondary device 102 is an ink cartridge for the printer. In some implementations, the primary device 106 is an identification reader and the secondary device 102 is an identification read by the identification reader.

[0019] The primary device 106 and the secondary device 102 can communicate over a communication link. Various types of communication links may be used, as appropriate. For example, the primary device 106 and the secondary device 102 can communicate over a wired communication link (e.g., a USB link, a parallel port link, a voltage terminal, or another type of wired contact). As another example, the primary device 106 and the secondary device 102 can communicate over a wireless communication link (e.g., a radio frequency link, an infrared link, or another type of wireless medium). The primary device 106 and the secondary device 102 can communicate over a combination of wired and wireless links. The communication link between the primary device 106 and the secondary device 102 can include the communication interface 117 of the interrogator module 108, the communication interface 116 of the authentication module 104, or any combination of these and other communication interfaces.

[0020] The interrogator module 108 can be implemented in hardware, software, firmware, or a combination thereof. For example, in some cases, all or part of the interrogator module 108 can be implemented as a software program executed by a microprocessor. As another example, in some cases, all or part of the interrogator module 108 can be implemented as digital or analog circuitry. In some examples, the interrogator module 108 can be integrated with and/or use other software or hardware resources of the primary device 106, or the interrogator module 108 can be a standalone module. The interrogator module 108 includes a communication interface 117 that sends the interrogation message 124 and receives the reply message 122. The communication interface 117 can include a wired interface, a wireless interface, or a combination thereof.

[0021] The interrogator module 108 can include memory or another type of medium that stores challenge-response data. For example, the interrogator module 108 can include a challenge selector that selects a challenge value, and the interrogator module 108 can include a cryptographic function evaluator that derives a response value for the selected challenge value. Accordingly, the interrogator module 108 can include data relating to one or more previously derived challenge-response pairs, instructions that allow the interrogator module 108 to derive challenge-response pairs, or other information relating to challenge-response data. In some examples, a random number generator is used to select the challenge value, and a key-based encryption or signature scheme (e.g., RSA, ECC) is used to derive the response value. The interrogator module 108 can use a cryptographic function to derive the response value for a challenge value. For example, the interrogator module 108 can generate the response value for each challenge value based on the public key of the authentication module 104. When the interrogator module 108 interrogates the authentication module 104, the interrogator module 108 obtains a challenge value and provides the challenge value to the authentication module 104 in the interrogation message 124.

[0022] The authentication module 104 can be implemented in hardware, software, firmware, or a combination thereof. For example, in some cases, all or part of the authentication module 104 can be implemented as a software program executed by a microprocessor. As another example, in some cases, all or part of the authentication module 104 can be implemented as digital or analog circuitry. In some examples, the authentication module 104 can be integrated with and/or use other software or hardware resources of the secondary device 102, or the authentication module 104 can be a standalone module. The authentication module 104 includes a communication interface 116 that sends the reply message 122 and receives the interrogation message 124. The communication interface 116 can include a wired interface, a wireless interface, or a combination thereof.

[0023] The authentication module 104 includes a response-generator module 112 and authentication data. In the example shown in FIG. 1, the authentication data include key data 113 and certificate data 114. The authentication module can include additional or different types of features, including additional or different types of authentication data. The key data 113 include a secret value that the response-generator module 112 uses to generate the provided response value based on the challenge value received from the interrogator module 108. The secret value can be the secret key value of a cryptographic key pair. The cryptographic key pair can be a symmetric or an asymmetric key pair. For example, the cryptographic key pair can be a key pair based on ECC, RSA, AES, DES, or another type of encryption scheme. In some examples, the key data 113 include one or both keys of the cryptographic key pair. For example, the key data 113 can include the private key, the public key, or both the public key and the private key of an asymmetric key encryption scheme. The key data 113 can include additional or different types of information.

[0024] The response-generator module 112 can generate a response value based on the challenge value received from the interrogator module 108 and the secret value included in the key data 113. For example, the response-generator module 112 can receive a challenge value from the interrogator module 108 and generate the provided response value. The provided response value can be generated by the response-generator module 112 by evaluating a cryptographic function. In some implementations, the input data for the cryptographic function can include the private key value and the challenge value. In some examples, the response-generator module 112 can generate the provided response value by applying an encryption or digital signature function to the challenge value provided by the interrogator module 108. For example, the response-generator module 112 can use the private key value to apply a digital signature to the challenge value.

[0025] In the example shown in FIG. 1, the certificate data 114 include a digital certificate that certifies a public key value. In some implementations, the public key value certified by the digital certificate corresponds to the private key value that the response-generator module 112 uses to generate the provided response value. The certificate data 114 can include an explicit or implicit representation of: the public key value, an identification value for the authentication module, a digital signature of a certificate authority, information on when the digital certificate was generated, information on when the digital certificate expires, information on the identity of the certificate authority, or any combination of these and other data elements. The provided response value and the certificate data 114 can be sent to the interrogator module 108 in one or more reply messages 122.

[0026] In some implementations, the digital certificate includes one or more of the following features. The digital certificate can be issued by a certificate authority, which is a trusted party that certifies public keys for entities using key-based cryptographic schemes. For example, each authentication device can have a unique identification number and a particular public key value, and the digital certificate can serve as verification from a trusted source that the particular public key value belongs to the authentication device having the particular identification number. As such, the digital certificate can bind the identification value of each authentication device to a particular public key value. Another user entity (e.g., the interrogator module 108) can use the certificate authority's public key to verify that the digital certificate was signed by the trusted certificate authority. In this manner, the digital certificate serves as confirmation by a trusted third party that the public key value presented by the authentication module 104 belongs to a legitimate authentication module 104 and not to an imposter.

[0027] The certificate data 114 can include any type of digital certificate data, including implicit certificates or explicit certificates. In some cases, an explicit certificate includes a certificate authority signature certifying the public key value for the authentication module 104. An explicit certificate can also include the public key value, an identifier of the authentication module 104, and other information. An implicit certificate includes information that can be used to construct the public key of the authentication module. As such, some implicit certificates include neither an explicit representation of the public key value nor an explicit representation of the certificate authority's digital signature. For example, an implicit certificate can include a public key reconstruction value that can be combined with other available information (e.g., the certificate authority's public key, etc.) to reconstruct the public key value. An example of an implicit certificate scheme is the ECQV implicit certificate scheme.

[0028] In some aspects of operation, the interrogator module 108 generates the interrogation message 124 and sends the interrogation message 124 to the authentication module 104. The interrogation message 124 includes a challenge value. The authentication module 104 receives the interrogation message 124 and generates the reply message 122. The reply message 122 includes the certificate data 114 and the provided response value. The certificate data 114 and the provided response value can be sent in a single message or in multiple different messages. The response-generator module 112 generates the provided response value by evaluating a cryptographic function. In some implementations, the response-generator module 112 uses the secret value in the key data 113 to apply the cryptographic function to the challenge value received from the interrogator module 108. For example, the response-generator module 112 can use the private key value to apply a digital signature to the challenge value.

[0029] In some aspects of operation, the interrogator module 108 receives the reply message 122. In response to receiving the reply message 122, the interrogator module 108 verifies the certificate data 114. Verifying the certificate data 114 indicates that the public key presented by the authentication module 104 is a trusted public key that has been certified by the certificate authority. For example, the interrogator module 108 can use the certificate authority's public key to verify the certificate data 114. The interrogator module 108 can obtain the certificate authority's public key by retrieving it from the certificate authority, by accessing it in local memory available to the interrogator module 108, or in another manner. If the certificate data 114 are verified, the interrogator module 108 also compares the provided response value with the correct response value. Determining that the provided response value matches the correct response value indicates that the authentication module 104 holds the private key corresponding to the trusted public key. If the interrogator module 108 determines that the authentication module has provided a valid reply, the secondary device can be authenticated. In some implementations, a valid reply includes the certificate data 114 and a valid response value generated based on the key data 113. In these cases, both the certificate data 114 and the key data 113 are needed to produce a valid response to the interrogation message 124.
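The exchange of paragraphs [0028] and [0029], combined with the encrypted-certificate provisioning of [0012] and [0014], as an added example that is not part of the patent text. Assumptions: textbook RSA with toy keys built from small Mersenne primes stands in for the RSA/ECC signature scheme, a SHA-256 keystream XOR stands in for the certificate cipher, and the JSON certificate layout, class names, device ID and provisioning key are constructed for illustration.

```python
import hashlib
import json
import secrets


def make_key(p, q, e=65537):
    """Toy textbook-RSA key from two primes (constructed; trivially factorable)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(key, msg):
    return pow(_digest(msg, key["n"]), key["d"], key["n"])


def verify(pub, msg, sig):
    n, e = pub["n"], pub["e"]
    return (isinstance(sig, int) and n > 1 and 0 <= sig < n
            and pow(sig, e, n) == _digest(msg, n))


def keystream_xor(key, data):
    """Stand-in cipher (assumption): the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def issue_certificate(ca_key, device_id, device_key):
    """Explicit certificate: the CA signs the binding of device ID to public key."""
    body = {"id": device_id, "n": device_key["n"], "e": device_key["e"]}
    tbs = json.dumps(body, sort_keys=True).encode()
    return json.dumps({"body": body, "ca_sig": sign(ca_key, tbs)}).encode()


class AuthModule:
    """Accessory side: key data 113 plus certificate data 114 as stored."""

    def __init__(self, key, stored_cert):
        self._key = key
        self.cert = stored_cert          # may still be the encrypted form

    def unlock(self, provisioning_key):
        # Late manufacturing step: decrypt the certificate and store it back.
        self.cert = keystream_xor(provisioning_key, self.cert)

    def reply(self, challenge):
        return {"cert": self.cert, "response": sign(self._key, challenge)}


class Interrogator:
    """Primary-device side: holds only the CA public key."""

    def __init__(self, ca_pub):
        self.ca_pub = ca_pub

    def authenticate(self, module):
        challenge = secrets.token_bytes(16)        # fresh per interrogation
        reply = module.reply(challenge)
        try:
            cert = json.loads(reply["cert"].decode())
            body, ca_sig = cert["body"], cert["ca_sig"]
            pub = {"n": int(body["n"]), "e": int(body["e"])}
        except (ValueError, KeyError, TypeError):
            return False                           # undecrypted or mangled cert
        tbs = json.dumps(body, sort_keys=True).encode()
        if not verify(self.ca_pub, tbs, ca_sig):
            return False                           # certificate not CA-issued
        return verify(pub, challenge, reply["response"])


def demo():
    ca = make_key(2**127 - 1, 2**89 - 1)           # certificate authority (toy)
    dev = make_key(2**107 - 1, 2**61 - 1)          # authentication device (toy)
    prov = b"constructed-provisioning-key"
    cert = issue_certificate(ca, "BATT-0001", dev)
    phone = Interrogator({"n": ca["n"], "e": ca["e"]})

    diverted = AuthModule(dev, keystream_xor(prov, cert))   # never decrypted
    wrong = AuthModule(dev, keystream_xor(prov, cert))
    wrong.unlock(b"not-the-provisioning-key")
    finished = AuthModule(dev, keystream_xor(prov, cert))
    finished.unlock(prov)
    copied = AuthModule(make_key(2**89 - 1, 2**61 - 1), cert)  # cert without key
    return tuple(phone.authenticate(m) for m in (diverted, wrong, finished, copied))


if __name__ == "__main__":
    print(demo())
```

Only the module that was unlocked with the provisioning key and holds the matching private key is accepted, which is the property [0029] states: both the certificate data and the key data are needed for a valid reply.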

[0030] FIG. 2 is a schematic diagram of an example mobile device 200. For example, the mobile device 200 can be a BLACKBERRY® mobile device and/or another type of mobile device. In some implementations, the mobile device 200 is a dual-mode mobile device. The example mobile device 200 in FIG. 2 includes a microprocessor 202, a communication subsystem 204, random access memory (RAM) 206, non-volatile memory 208, a display 210, one or more auxiliary input/output (I/O) devices 212, a data port 214, a keyboard 216, a speaker 218, a microphone 220, a short-range wireless communications subsystem 222, other device subsystems 224, a SIM/RUIM card (i.e., a Subscriber Identity Module or a Removable User Identity Module) 226, a SIM/RUIM interface 228, a rechargeable battery 230, a battery interface 232, and possibly other components. The mobile device 200 can include the same, additional, and/or different features, which may be arranged and/or operated in the manner shown or in a different manner.

[0031] The example mobile device 200 is a battery-powered device that includes a battery interface 232 that receives direct current from one or more rechargeable batteries 230. The battery 230 may be a smart battery with an embedded microprocessor or a different type of battery. The battery interface 232 may be coupled to a regulator (not shown), which may assist the battery 230 in providing power V+ to the mobile device 200. Additionally or alternatively, the mobile device 200 may receive power from an external power source (e.g., an AC power source, an adapter, a converter, etc.) and/or a different type of internal power source.

[0032] The example mobile device 200 shown in FIG. 2 is a two-way communication device having voice and data communication capabilities. The mobile device 200 may communicate over wireless networks (including wireless telecommunication networks, wireless data networks, combined voice and data networks, and/or other types of wireless networks). Thus, the mobile device 200 may communicate over a voice network (e.g., any of the analog or digital cellular networks) and may communicate over a data network. Voice and data networks may be implemented as separate communication networks using separate infrastructure (e.g., base stations, network controllers, etc.), or the voice and data networks may be integrated into a single wireless network. The networks may include one or more local, regional, national, or global networks. The networks may include one or more cellular networks. In some implementations, the wireless networks use one or more communication protocol standards (e.g., 3G, 4G, GSM, CDMA, GPRS, EDGE, LTE, etc.).

[0033] In the example mobile device 200 shown in FIG. 2, the communication subsystem 204 includes a receiver 250, a transmitter 252, antennas 254 and 256, one or more local oscillators 258, a digital signal processor (DSP) 260, and possibly other features. The antennas 254 and 256 may include antenna elements of a multi-element antenna, an embedded antenna, a radio frequency (RF) antenna, and/or other types of antennas. The communication subsystem 204 is used to communicate with the network. The DSP 260 is used to receive and send signals through the receiver 250 and the transmitter 252, respectively, and the DSP 260 provides control information to the receiver 250 and the transmitter 252. For example, the gain levels applied to communication signals in the receiver 250 and the transmitter 252 may be adaptively controlled through automatic gain control algorithms implemented in the DSP 260. Additional and/or different types of control algorithms may be implemented in the DSP 260 to provide more sophisticated control of the communication subsystem 204.

[0034] In some implementations, the local oscillator 258 is a single local oscillator that provides a reference signal to the receiver 250 and the transmitter 252, for example, where voice and data communications occur at a single frequency or a closely spaced set of frequencies. Alternatively, for example, if different frequencies are used for voice communications and data communications, the local oscillator 258 may include multiple local oscillators used to generate multiple different frequencies corresponding to the voice and data networks. Information in the mobile device 200 (including digital voice and digital data information) may be communicated to and from the communication subsystem 204 over a link or bus between the DSP 260 and the microprocessor 202. The design and configuration of the communication subsystem 204 (e.g., frequency band, component selection, power level, etc.) may depend on the communication network in which the mobile device 200 is intended to operate. For example, the communication subsystem 204 may be configured for 2G, 2.5G, 3G, 4G, and other voice and data networks (e.g., GSM, CDMA2000, GPRS, EDGE, W-CDMA (UMTS), FOMA, EV-DO, TD-SCDMA, HSPA, HSOPA, etc.).

[0035] After any required network registration or activation procedures have been completed, the mobile device 200 may send and receive communication signals (including voice and data signals) over the wireless network. Signals received from the communication network by the antenna 254 are routed to the receiver 250, which provides signal amplification, frequency down-conversion, filtering, channel selection, etc., and may also provide analog-to-digital signal conversion. Analog-to-digital conversion of the received signal allows the DSP 260 to decode the resulting digital signal. Signals to be transmitted to the network are processed (e.g., modulated, encoded, etc.) by the DSP 260 and are then provided to the transmitter 252 for digital-to-analog conversion, frequency up-conversion, filtering, amplification, and transmission to the communication network via the antenna 256.

[0036] In some implementations, the communication device 200 may send and receive communication signals over the wireless network after network registration and activation procedures have been completed. The wireless network registration or activation procedures for the mobile device 200 may vary based on the type of network or networks with which the mobile device 200 operates. Wireless network access for the example mobile device 200 shown in FIG. 2 is associated with a subscriber or user of the mobile device 200. Specifically, the SIM/RUIM card 226 in the SIM/RUIM interface 228 identifies the subscriber or user of the mobile device 200. With the SIM/RUIM card 226 in the SIM/RUIM interface 228, the subscriber can access all subscribed services through the wireless network. For example, subscribed services may include web browsing, e-mail, voice mail, Short Message Service (SMS), Multimedia Messaging Service (MMS), and/or other services. The SIM/RUIM card 226 in the SIM/RUIM interface 228 communicates with the microprocessor 202 of the mobile device 200. To identify the subscriber, the SIM/RUIM card 226 may include user parameters (e.g., an International Mobile Subscriber Identity (IMSI) and/or another type of subscriber identifier). The SIM/RUIM card 226 may store additional and/or different subscriber information (including calendar information, call log information, contact information, and/or other types of information). Additionally or alternatively, user identification information may also be stored in the non-volatile memory 208.

[0037] The data port 214 may include a serial port, a parallel port, and/or another type of connection port. In some implementations, the data port 214 is a Universal Serial Bus (USB) port that includes data lines for data transfer and a supply line that can provide a charging current to charge the battery 230 of the mobile device 200. The mobile device 200 may be manually synchronized with a host system, for example, by connecting the mobile device 200 through the data port 214 (e.g., in an interface cradle and/or another type of wired connection) that couples the mobile device 200 to a data port of a computer system or other device. The data port 214 may also be used to enable a user to set preferences through an external device or software application, or to download other programs for installation. The wired connection of the data port 214 may be used to load an encryption key onto the device, which is a more secure method than exchanging encryption information via the wireless network.

[0038] The short-range communication subsystem 222 provides for communication between the mobile device 200 and different systems or devices without the use of the wireless network. For example, the short-range communication subsystem 222 may include an infrared or radio frequency device and associated circuits and components for short-range communication. Examples of short-range communication standards include standards developed by the Infrared Data Association (IrDA), Bluetooth®, the 802.11 family of standards developed by IEEE, and other standards.

[0039] The microprocessor 202 manages and controls the overall operation of the wireless device 200. Many types of microprocessors and microcontrollers may be used. Additionally or alternatively, a single DSP 260 may be used to carry out one or more functions of the microprocessor 202. Low-level communication functions (including data and voice communications) may be performed through the DSP 260 in the communication subsystem 204. High-level communication applications (e.g., voice communication applications, data communication applications, and/or other types of software applications) may be stored in the non-volatile memory 208 for execution by the microprocessor 202. The microprocessor 202 also interacts with other device subsystems (e.g., the display 210, the RAM 206, the auxiliary input/output (I/O) devices 212, the data port 214, the keyboard 216, the speaker 218, the microphone 220, the SIM/RUIM interface 228, the battery interface 232, the short-range communication subsystem 222, and any other device subsystems generally designated as 224).

[0040] The non-volatile memory 208 includes erasable persistent storage (e.g., flash memory, battery-backed RAM, and/or other types of memory). In the example shown in FIG. 2, the non-volatile memory 208 stores instructions and data associated with an operating system 234, programs 236 that provide various types of functionality for the mobile device 200, and other types of information. The non-volatile memory 208 may include a file system to facilitate storage of data items on the device. For example, the operating system 234, the programs 236, and/or other modules executed on the microprocessor 202 may store, retrieve, modify, delete, and/or otherwise manipulate data by accessing (e.g., reading from, writing to, etc.) the file system provided on the non-volatile memory 208.

[0041] Data stored in the non-volatile memory 208 and/or other computer-readable media on the mobile device 200 may include user application data, text files, image files, voicemail data, and other data generated by the user at the mobile device 200 or received and stored by the mobile device 200. User application data may include, for example, e-mail message data, address book data, contact information data, calendar appointment data, instant message data, SMS message data, voicemail data, user-entered data, and/or other types of application data. Voicemail data may include digitized audio recordings and/or stub entries viewable in a messaging application, the stub entries indicating the availability of a voicemail message stored at another location. User-entered data may include text-based, graphical, or other multimedia files loaded onto the mobile device 200 by the user.

[0042] The operating system 234 controls low-level functions of the mobile device 200 and facilitates operation of the programs 236. For example, the operating system 234 may provide an interface between one or more of the programs 236 and one or more hardware components on the mobile device 200. The programs 236 include computer program modules that can be executed by the microprocessor 202 (and/or the DSP 260 in some instances). In some implementations, one or more of the programs 236 are executed by the microprocessor 202 and provide a high-level interface between a user and the mobile device 200. The user interface provided by a program 236 typically includes a graphical component provided through the display 210, and may additionally include an input/output component provided through the auxiliary I/O devices 212, the keyboard 216, the speaker 218, and/or the microphone 220. The operating system, specific device applications or programs 236, or parts thereof, may be temporarily loaded into volatile memory (e.g., the RAM 206) for faster operation. Moreover, received communication signals may be temporarily stored in the RAM 206 before they are permanently written to the file system in the non-volatile memory 208.

[0043] The programs 236 stored in the non-volatile memory 208 may include, for example, a messaging application, a calendar application, one or more third-party applications, and other types of applications. The programs 236 may include additional or different modules, programs, or applications (e.g., a Personal Information Manager (PIM) module, a connect module, a device state module, an IT policy module, a multi-service platform manager, and/or other modules). The programs 236 may include programs that control basic device operations, which are typically installed on the mobile device 200 during its manufacture and/or initial configuration. Other types of software applications (e.g., third-party applications and/or other types of modules) may be added after the manufacture and initial configuration of the mobile device 200. Examples of third-party applications include games, utilities, Internet applications, etc. Generally, any of the programs 236 may be updated and/or modified at any time. Additional applications and/or updates to applications may be loaded onto the mobile device 200 through the wireless network, the auxiliary I/O devices 212, the data port 214, the short-range communication subsystem 222, or any other device subsystem 224. The non-volatile memory 208 may also store keys 235, which may include encryption and decryption keys, as well as addressing information for use in communication between the mobile device 200 and servers.

[0044] The non-volatile memory 208 may include an interrogator module. For example, the interrogator module may be implemented as a software module executed by the microprocessor 202. The interrogator module may include the features and attributes of the interrogator module 108 of FIG. 1, or it may be a different type of interrogator module. The interrogator module of the mobile device 200 may communicate with an accessory of the mobile device 200, for example, to authenticate the accessory. In some examples, the interrogator module authenticates the battery 230, the SIM card, and/or other internal or external components or devices associated with the mobile device 200. Accordingly, the battery 230, the SIM card, and/or other internal or external components or devices may include an authentication module (e.g., the authentication module 104 of FIG. 1 or a different type of authentication module).

[0045] In some examples, the battery 230 includes an authentication module that communicates with the interrogator module by voltage-modulated signals sent through a terminal of the battery interface 232. For example, by voltage-modulated signals sent through the terminal of the battery interface 232, the battery 230 may send an authentication request to the microprocessor 202, receive a challenge message from the microprocessor 202, and send a reply message to the microprocessor 202. The microprocessor 202 may convert the voltage-modulated signals from the battery 230 into messages that can be processed by the interrogator module. Similarly, the microprocessor 202 may convert messages from the interrogator module into voltage-modulated signals sent to the battery 230.

[0046] The schematic diagram in FIG. 3 shows an example technique for managing authentication data for an authentication device during a manufacturing process 300. The manufacturing process 300 may include the same, additional, or different operations, which may be performed in the order shown or in a different order. The manufacturing process 300 may be used to manufacture any number of identical, similar, or different types of products. For example, the manufacturing process 300 may be used for mass production, custom production, and other types of production. The product 318 may include a single component, or the product 318 may include multiple product components in addition to the product component 316 shown.

[0047] Implementations of the example manufacturing process 300 may include various conventional manufacturing techniques and sub-processes that are not specifically shown or described. For example, various implementations of the manufacturing process 300 may include material processing operations, fabrication operations, assembly operations, shaping operations, construction operations, and other types of manufacturing operations. A specific example of a product that can be manufactured by the example manufacturing process 300 is a mobile device battery. Although certain aspects of the manufacturing process 300 are described with respect to the specific example of a mobile device battery, the manufacturing process 300 may be used for any other type of product that includes or uses an authentication device. Examples of other types of products include other types of accessories or components for mobile devices, printing systems, imaging systems, gaming systems, and the like.

[0048] As shown in FIG. 3, the manufacturing process 300 involves the operations and interactions of multiple entities: a product manager 302, an authentication device manufacturer 306, a product manufacturer 304, and a component manufacturer 308. The product manager 302 is concerned with the secure production of products by the product manufacturer 304. In some implementations, the product manager 302 is a contracting company, and the product manufacturer 304 is a contract manufacturer.

[0049] The product manufacturer 304 uses the component manufacturer 308 to manufacture components of the product 318. In some implementations, the product manufacturer 304 is a contract manufacturer (contracted by the product manager 302), and the component manufacturer 308 is a subcontract manufacturer. For example, when the product 318 is a mobile device battery, the product manager 302 may be a mobile device company that distributes mobile device batteries, the product manufacturer 304 may be a battery manufacturer, the authentication device manufacturer 306 may be a semiconductor manufacturer, and the component manufacturer 308 may be a circuit manufacturer. The component manufacturer 308 or the authentication device manufacturer 306 may implement a lower level of information security assurance than, for example, the product manufacturer 304.

[0050] In some implementations, the product manager 302 provides product specifications to the product manufacturer 304, and the product specifications include specifications relating to the authentication device 318. The authentication device manufacturer 306 produces the authentication device 314, which the product manufacturer 304 includes in the product 318. The product manager 302 may not fully trust one or more of the authentication device manufacturer 306, the component manufacturer 308, and the product manufacturer 304. Accordingly, the product manager 302 may not want the authentication device manufacturer 306 to be able to produce functional versions of the authentication device 314 without the approval of the product manager 302. In addition, the product manager 302 does not want the product manufacturer 304 to be able to overproduce valid products 318. Similarly, the product manager 302 does not want the authentication device manufacturer 306 or the component manufacturer 308 to be able to divert valid authentication devices to the counterfeit market.

[0051] In the example shown in FIG. 3, encrypted authentication data 310a is delivered to the authentication device manufacturer 306. The authentication device 314 may have a serial number or other identifying information. The authentication device manufacturer 306 places the identifying information and the authentication data in the authentication device 314. The authentication device manufacturer 306 may place a complete set of authentication data (e.g., private key, public key, certificate, etc.) in the authentication device 314. All or part of the placed authentication data may consist of the encrypted authentication data 310a. The placed authentication data may also include unencrypted authentication data. The encrypted authentication data 310a may include encrypted key data (e.g., an encrypted public key value, an encrypted private key value, or both), encrypted certificate data, or any other type of authentication data in encrypted form. For example, the encrypted authentication data 310a may include an encrypted version of all or part of the key data 113 or the certificate data 114 shown in FIG. 1. In some examples, the product manager 302 may trust the authentication device manufacturer 306 to produce the encrypted authentication data 310a, and in some examples, the product manager 302 may prefer that such cryptographic material be produced by itself or by another party.

[0052] Decryption data 312 is delivered to the product manufacturer 304. For example, the decryption data 312 may be delivered over a secure communication channel, by courier, or by another secure information distribution scheme. Because the decryption data 312 is generally smaller in size than the authentication data, the amount of data delivered to the product manufacturer 304 can be substantially less than the amount of authentication data on the authentication device 314. In some examples, the decryption data 312 can be delivered to the product manufacturer 304 by a low-rate secure communication technique. The decryption data 312 includes the information needed to decrypt the encrypted authentication data 310a. For example, the decryption data 312 may include a secret key value. As another example, if the authentication data includes a certificate that can be reconstructed from a secret value (e.g., an ECQV implicit certificate), the decryption data 312 may include the secret value needed to reconstruct the certificate.

[0053] The authentication device manufacturer provides the authentication device 314 to the component manufacturer 308. The component manufacturer 308 manufactures the component 316, which includes the authentication device 314. The component manufacturer 308 provides the component 316 to the product manufacturer 304. In the example shown in FIG. 3, before the authentication device 314 is provided to the product manufacturer 304, the authentication data stored on the authentication device 314 includes the encrypted authentication data 310a. Therefore, before the authentication device 314 is provided to the product manufacturer 304, the authentication device 314 does not have the information resources needed to generate a valid reply message.

[0054] The product manufacturer 304 uses an information management system 305 to decrypt the encrypted authentication data 310a based on the decryption data 312. Decrypting the encrypted authentication data 310a produces unencrypted authentication data 310b, and the unencrypted authentication data 310b is then stored on the authentication device 314. The encryption and decryption of the authentication data may be performed, for example, based on a symmetric encryption scheme (e.g., AES, triple DES, etc.), an asymmetric encryption scheme (e.g., ECC, RSA, etc.), or another type of encryption scheme. The number of decryption keys used may be determined by the product manager 302. For example, the product manager 302 may assign one or more decryption keys to a given product manufacturer 304 for a given time period.

[0055] The information management system 305 generally includes a computing system that securely stores the decryption data 312 and decrypts the encrypted authentication data 310a. For example, the information management system 305 may include a hardware security module (HSM) or another type of computing device with cryptographic capability. The information management system 305 may include an information storage subsystem and an information processing subsystem. The information storage subsystem may include a memory or another type of computer-readable medium that stores the decryption data 312 in a secure manner. The information processing subsystem may include data processing apparatus that performs the decryption operation, for example, by evaluating a cryptographic function. In some examples, the information management system 305 implements some or all of the process 500 shown in FIG. 5, or another technique for managing authentication data. In some implementations, some or all of the information management system 305 may be implemented by the product manager 302 or by another entity other than the product manufacturer 304. For example, instead of or in addition to providing the decryption data 312 to the product manufacturer 304, the product manager 302 may retain the decryption data 312. In such cases, the information management system 305 may decrypt all or part of the encrypted authentication data 310a at the product manager 302. The information management system 305 may also keep log information on the authentication devices that have been activated. The log information may be protected by secure hardware associated with the information management system 305. The log information may be inspected by the product manager 302.

[0056] The information management system 305 may: access the encrypted authentication data 310a stored on the authentication device 314, generate unencrypted authentication data 310b by decrypting the encrypted authentication data 310a, and store the unencrypted authentication data 310b on the authentication device 314. The information management system 305 may include a communication interface adapted to access information stored on the authentication device 314. For example, the authentication device 314 may include an interface such as the communication interface 116 of FIG. 1, and the information management system 305 may include a module adapted to communicate with the communication interface 116 or another interface of the authentication device. As another example, the information management system 305 may include a battery interface adapted to communicate with a mobile device battery (e.g., similar to the battery interface 232 of the mobile device 200 of FIG. 2).

[0057] In the example shown in FIG. 3, the product manufacturer 304 manufactures the product 318 using the components 316 received from the component manufacturer 308. The information management system 305 may then store the unencrypted authentication data 310b on the authentication device 314, and the manufactured product 318 may be provided to the product manager 302. Because the product 318 includes the authentication device 314 with a complete set of unencrypted authentication data when it leaves the product manufacturer 304, the product 318 can be authenticated by an interrogator. For example, the authentication device 314 may generate a valid reply message when interrogated by an interrogating device. In some implementations, the product 318 may be included in another product, sold separately, or handled in another manner.

[0058] In some aspects of the example shown in FIG. 3, the authentication device 314 may provide a communication path for the encrypted authentication data 310a. In some implementations, only part of the authentication data is encrypted. For example, the encrypted authentication data 310a may include only the certificate authority's signature on the certificate data, and the authentication device manufacturer 306 may store additional, non-encrypted authentication data on the authentication device 314. In some cases, encrypting less than all of the authentication data improves efficiency and provides information that can be used to track and control the authentication device 314 without needing to allow the authentication device 314 to be used.

[0059] FIG. 4 is a flow chart showing an example process 400 for managing authentication data during a manufacturing process. In general, the process 400 can be implemented in connection with any type of manufacturing process. For example, the process 400 can be implemented as part of the manufacturing process 300 shown in FIG. 3, or as part of a different type of manufacturing process.

[0060] The example process 400 is described with respect to manufacturing a product that includes multiple components, with the components provided by a component manufacturing entity. For example, the product may be a mobile device battery or another type of accessory for a mobile device. In the mobile device battery example, the product components may include any combination of battery cells, a battery console, a battery interface, a battery chip, a battery authentication device, or these and other components of a mobile device battery. In some implementations, the process 400 may be adapted for use in connection with the manufacture of other types of products or, generally, any article of manufacture. For example, the product may be a battery or another type of component for an electronic device, an appliance, a vehicle, a computing system, a consumer product, etc. The process 400 may include the same, additional, or different operations performed in the order shown and/or in a different order. Where appropriate in various implementations, one or more operations may be repeated, iterated, or omitted. In some implementations, one or more operations in the process 400 may be iterated, for example, until a terminating condition is reached.

[0061] The example process 400 shown in FIG. 4 includes operations performed by three example entities involved in a manufacturing process. The first entity is the product management entity 402, which is responsible for the product. The second entity is the product manufacturing entity 404, which is responsible for manufacturing the product and providing the manufactured product to the product management entity 402. The third entity is the component manufacturing entity 406, which is responsible for providing product components to the manufacturing entity 404. The components provided by the component manufacturing entity 406 include an authentication device. For example, the component manufacturing entity 406 may provide the authentication device as a separate component, or it may provide a component that includes the authentication device. Where appropriate in various implementations, the process 400 may be implemented by a different number of entities (including additional or different types of entities).

[0062] At 410, the product management entity 402 obtains product authentication data. For example, the product authentication data may include certificate data, key data, or another type of authentication data. In some implementations, obtaining the product authentication data includes generating certificate data or receiving certificate data from a certificate authority. In some implementations, obtaining the product authentication data includes deriving one or more values relating to a key pair, or receiving one or more key pair values from a cryptographic module.

[0063] At 412, the product management entity 402 encrypts the product authentication data. In some implementations, another entity encrypts the product authentication data. For example, the product authentication data may be encrypted when it is obtained at 410. The product authentication data may be encrypted using a key-based encryption scheme. For example, the product authentication data may be encrypted according to a symmetric encryption scheme, an asymmetric encryption scheme, or another type of scheme. Accordingly, the encrypted authentication data can be decrypted using a private key value or another type of decryption data. At 420, the encrypted authentication data is sent to the component manufacturing entity 406.

[0064] At 422, the decryption data is sent to the product manufacturing entity 404. The decryption data may include, for example, a secret value (e.g., a private key value) that can be used to decrypt the encrypted product authentication data, an identification of the encryption scheme used to encrypt the product authentication data (at 412), parameters of the encryption scheme used, or a combination of these and other data. For example, if an ECC encryption scheme uses a public key value to encrypt the product authentication data at 412, the decryption data sent at 422 may include the private key value (corresponding to the public key value) and an identification of the ECC parameters used for encryption. In some examples, the decryption data is transmitted over a secure communication channel or securely transported to the product manufacturing entity 404.

[0065] At 414, the component manufacturing entity 406 obtains an authentication device. For example, the component manufacturing entity 406 may manufacture the authentication device, receive it from another entity, or obtain it in another manner. At 426, the component manufacturing entity 406 stores the encrypted product authentication data on the authentication device. For example, the encrypted product authentication data may be stored in a memory or another type of computer-readable medium of the authentication device. The encrypted product authentication data can then be transported or conveyed by transporting the authentication device itself.

[0066] At 432, the product manufacturing entity 404 obtains the product components to be included in the product. The product components may include components manufactured by the product manufacturing entity 404, components manufactured by the component manufacturing entity 406, or components manufactured by any combination of these and other entities. In the example shown in FIG. 4, the product manufacturing entity 404 obtains the authentication device from the component manufacturing entity 406. For example, the product manufacturing entity 404 may obtain a product component (e.g., a printed circuit board or another type of component) that includes the authentication device, or it may obtain the authentication device as a separate component.

[0067] At 434, the product manufacturing entity 404 manufactures the product. The product may be manufactured by any type of manufacturing process or related operations. Some manufacturing processes include, for example, manufacturing, building, shaping, or assembling components. In general, a manufacturing process may include any combination of these and other types of manufacturing operations and sub-processes. A manufacturing process may be performed by a single entity or by multiple different entities at one or more locations.

[0068] At 436, the product manufacturing entity 404 decrypts the product authentication data stored on the authentication device. For example, the product authentication data that was encrypted at 412 and stored on the authentication device at 426 may be decrypted at 434. The product authentication data may be decrypted using the decryption data received at 422. Storing the decrypted product authentication data on the authentication device enables the authentication device to generate a valid reply message. For example, some authentication devices are configured to provide a reply message in response to receiving an interrogation message from an interrogating device, and the authentication device accesses or uses the authentication data to provide the reply message. Without the unencrypted authentication data, the authentication device may lack the information resources (e.g., key data, certificate data, etc.) needed to provide a reply message that the interrogating device can authenticate. At 440, the product manufacturing entity 404 provides the product to the product management entity 402.

[0069] In some implementations of the process 400 shown in FIG. 4, all or part of the decryption operation (at 436) may be performed using the process 500 shown in FIG. 5. Although the decryption operation 436 in FIG. 4 is performed by the product manufacturing entity 404 after the product has been manufactured, all or part of the decryption operation may be performed at other times and by other entities. For example, the product management entity 402 may decrypt all or part of the authentication data. In another example, all or part of the authentication data may be decrypted after the manufacturing process has been completed (e.g., after the product has reached a packaging facility, a distributor facility, a retail location, or an end user).

[0070] In some implementations of the process 400 shown in FIG. 4, the same encrypted product authentication data may be stored on multiple different authentication devices. For example, the product management entity 402 may obtain (at 410) a single set of product authentication data to be used with multiple different authentication devices. In such cases, the set of product authentication data may be encrypted (at 412) and sent (at 420) to the authentication device manufacturing entity 406, and the set of encrypted authentication data may then be stored on multiple different authentication devices (at 426).

[0071] In some implementations of the process 400 shown in FIG. 4, different sets of authentication data may be encrypted using the same encryption scheme. For example, the product management entity 402 may obtain (at 410) different sets of authentication data for different authentication devices, and the product management entity 402 may encrypt (at 412) all of the different sets of authentication data using the same encryption key. In such cases, the sets of encrypted authentication data may be sent (at 420) to the authentication device manufacturing entity 406, and each of the sets of encrypted authentication data may be stored (at 426) on a different authentication device.

[0072] Accordingly, in some implementations of the process 400 shown in FIG. 4, the same decryption data can be used to decrypt product authentication data stored on multiple different authentication devices. For example, the decryption data may be sent (at 422) to the product manufacturing entity 404 and then used to decrypt (at 436) the authentication data stored on multiple different authentication devices. In some implementations, the encrypted authentication data, the decryption data, or both are used with respect to only a single device.

[0073] FIG. 5 is a flow chart showing an example process 500 for managing authentication data for an authentication device. The process 500 can be used to manage authentication data for a battery authentication device, as described below. The process 500 can also be implemented with other types of authentication devices. For example, an authentication device for another type of product, component, or article of manufacture may be substituted for the battery authentication device in the process 500. The process 500 may include the same, additional, or different operations, which may be performed in the order shown and/or in a different order. Where appropriate, one or more operations may be repeated, iterated, or omitted.

[0074] In particular examples, the process 500 may be performed as part of a manufacturing process. The process 500 may be performed separately from a manufacturing process. For example, all or part of the process 500 may be implemented as part of a packaging process or a shipping process, as part of initializing or using a mobile device or a mobile device battery, or in combination with other types of processes. Accordingly, the process 500 can be implemented in various types of contexts. For example, all or part of the process 500 may be implemented at a manufacturing facility, at a packaging facility, at a testing facility, at a shipping facility, at a retail location, at a location where the battery authentication device is used or installed, or at a combination of these or other locations. Accordingly, some or all of the operations in the process 500 may be performed at the same location or at multiple different locations.

[0075] At 502, a battery authentication device is obtained. For example, the battery authentication device may be the authentication module 104 of FIG. 1 or another type of authentication device. The battery authentication device may be part of a mobile device battery or another type of battery. For example, the mobile device battery may be the battery 230 of FIG. 2 or another type of battery.

[0076] When the battery authentication device is obtained at 502, it contains encrypted authentication data. For example, the authentication device may include any type of memory or computer-readable medium that stores the encrypted authentication data. When obtained at 502, the battery authentication device may also include additional (unencrypted) authentication data in addition to the encrypted authentication data. The encrypted authentication data may include, for example, certificate data, public key data, private key data, cryptographic function data, and/or other types of information.

[0077] Encrypted authentication data is authentication data that has been encrypted by any type of encryption scheme. For example, the authentication data may be encrypted by a key-based encryption scheme (including symmetric schemes, asymmetric schemes, and possibly other types of schemes). Examples of symmetric key schemes include AES, DES, etc. Examples of asymmetric key schemes include RSA, ECC, etc. A secret value may be required to decrypt the encrypted authentication data. For example, in some implementations, the authentication data has been encrypted by an ECC scheme using a particular public key value, and the corresponding private key value is required to decrypt the authentication data efficiently.

[0078] The authentication data that is encrypted on the authentication device includes authentication data that the battery authentication device uses to provide a valid reply message when the battery is interrogated. Consequently, as long as the battery authentication device has access only to the encrypted authentication data, it cannot provide a valid reply message to an interrogation. For example, if the authentication device cannot access unencrypted certificate data, it cannot provide a reply message that includes a valid certificate. As another example, if the authentication device cannot access unencrypted key data, it cannot generate a valid response value for a challenge value received from an interrogator.

[0079] At 504, the encrypted authentication data is read from the battery authentication device. The encrypted authentication data may be read by a device or system external to the battery authentication device and the mobile device battery. For example, an information management system may extract the encrypted authentication data from the battery authentication device. In some implementations, the encrypted authentication data is read from a memory of the battery authentication device through an interface of the mobile device battery. When the encrypted authentication data is read, all or part of it may remain on the battery authentication device. When the encrypted authentication data is read, all or part of it may be deleted from the battery authentication device.

[0080] At 506, the encrypted authentication data is decrypted. Decrypting the encrypted authentication data produces unencrypted authentication data. The authentication data is decrypted using a decryption scheme that corresponds to the encryption scheme used to encrypt the data. For example, the authentication data may be decrypted by a key-based encryption scheme. If the decryption scheme requires a secret value (e.g., a secret key for a key-based encryption scheme), the secret value may be received separately from the battery authentication device. For example, the secret value may be delivered from a different source over a secure channel, and the secret value may be stored by the information management system.

[0081] At 508, the decrypted authentication data is written to the battery authentication device. The decrypted authentication data may replace all or part of the encrypted authentication data on the battery authentication device. In some implementations, the encrypted authentication data may be kept on the battery authentication device after the unencrypted authentication data has been written. Writing the decrypted authentication data to the battery authentication device enables the authentication device to provide a valid reply message when the battery is interrogated. In some cases, writing unencrypted certificate data to the battery authentication device may allow the authentication device to provide a reply message that includes a valid certificate. As another example, writing unencrypted key data to the battery authentication device may allow the authentication device to generate a valid response value for a challenge value received from an interrogator. In some implementations, the operations 504, 506, and 508 may be performed in an iterative manner, where each iteration reads, decrypts, and writes a different block or portion of the authentication data.

[0082] The unencrypted authentication data may include at least part of the information resources that the authentication device uses to generate a valid response when a mobile device interrogates the battery associated with the authentication device. For example, the mobile device may interrogate the battery when the battery is coupled to the mobile device. If the battery authentication device provides a valid response to the interrogation, the mobile device may approve the battery for use. If the battery authentication device does not provide a valid response, the mobile device may reject the battery. For example, the mobile device may deny the battery for all purposes of battery use, the mobile device may deny the battery for all purposes other than a limited range of mobile device functions (e.g., emergency calls, etc.), or the mobile device may take another action. In some instances, the mobile device may report the rejected or unauthenticated battery to a trusted source.
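
The following Go program is an added illustration of operations 412 and 502 to 508 and of the interrogation outcome described in [0078] and [0082]; it is not part of the patent text. AES-GCM as the key-based encryption scheme, an HMAC-SHA256 challenge-response, and all type and function names are assumptions made for the example, and the keys and serial number are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuthDevice models the memory of an authentication device (hypothetical layout).
type AuthDevice struct {
	Serial    string
	Encrypted []byte // nonce || ciphertext, stored by the component manufacturer (426)
	Key       []byte // unencrypted key data; empty until written back at 508
}

// Respond answers a challenge; with only encrypted data there is no key to use.
func (d *AuthDevice) Respond(challenge []byte) ([]byte, error) {
	if len(d.Key) == 0 {
		return nil, errors.New("no unencrypted authentication data on device")
	}
	return mac(d.Key, challenge), nil
}

func mac(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is step 412: encrypt the authentication data (symmetric key assumed).
func Seal(decKey, authData []byte) ([]byte, error) {
	gcm, err := newGCM(decKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, authData, nil), nil
}

// InfoMgmt models the information management system: key holder plus activation log.
type InfoMgmt struct {
	decKey []byte
	Log    []string
}

// Activate runs 504 (read), 506 (decrypt) and 508 (write back), then logs the device.
func (s *InfoMgmt) Activate(d *AuthDevice) error {
	gcm, err := newGCM(s.decKey)
	if err != nil {
		return err
	}
	n, blob := gcm.NonceSize(), d.Encrypted // 504: read from the device
	if len(blob) < n {
		return errors.New("encrypted authentication data too short")
	}
	key, err := gcm.Open(nil, blob[:n], blob[n:], nil) // 506: decrypt and verify
	if err != nil {
		return fmt.Errorf("device %s: decrypt failed: %w", d.Serial, err)
	}
	d.Key = key // 508: write the unencrypted data back
	s.Log = append(s.Log, d.Serial)
	return nil
}

// Interrogate models the mobile device: fresh challenge, constant-time comparison.
func Interrogate(d *AuthDevice, expectedKey []byte) bool {
	challenge := make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	resp, err := d.Respond(challenge)
	return err == nil && hmac.Equal(resp, mac(expectedKey, challenge))
}

func main() {
	decKey, authKey := make([]byte, 32), make([]byte, 32) // constructed sample keys
	rand.Read(decKey)
	rand.Read(authKey)
	blob, _ := Seal(decKey, authKey)
	dev, ims := &AuthDevice{Serial: "SAMPLE-0001", Encrypted: blob}, &InfoMgmt{decKey: decKey}
	fmt.Println("accepted before activation:", Interrogate(dev, authKey))
	fmt.Println("activation error:", ims.Activate(dev))
	fmt.Println("accepted after activation:", Interrogate(dev, authKey), "log:", ims.Log)
}
```

Activation with the wrong decryption key, or over a truncated or modified blob, returns an error, leaves the device unable to answer, and adds nothing to the log.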

[0083] The operations described in this specification can be implemented as operations performed by a data processing apparatus on data stored on one or more computer-readable storage devices or received from other sources. The term "data processing apparatus" encompasses all kinds of apparatus, devices, and machines for processing data (including, for example, a programmable processor, a computer, a system on a chip, or multiple ones or combinations of the foregoing). The apparatus can include special purpose logic circuitry (e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit)). In addition to hardware, the apparatus can also include code that creates an execution environment for the computer program in question (e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, a cross-platform runtime environment, a virtual machine, or a combination of one or more of them). The apparatus and execution environment can realize various different computing model infrastructures (e.g., web services, distributed computing, and grid computing infrastructures).

[0084] A computer program (also known as a program, software, software application, script, or code) can be written in any form of programming language (including compiled or interpreted languages, and declarative or procedural languages), and it can be deployed in any form (including as a stand-alone program or as a module, component, subroutine, object, or other unit suitable for use in a computing environment). A computer program may, but need not, correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, subprograms, or portions of code). A computer program can be deployed to be executed on one computing device or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.

[0085] The processes and logic flows described in this specification can be performed by one or more programmable processors executing one or more computer programs to perform actions by operating on input data and generating output. The processes and logic flows can also be performed by a special-purpose integrated circuit (e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit)), and the apparatus can also be implemented as a special-purpose integrated circuit.

[0086] Processors suitable for the execution of a computer program include, for example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computing device. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computing device are a processor for performing actions in accordance with instructions and one or more memory devices for storing instructions and data. Generally, a computing device will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more storage devices for storing data. However, a computing device need not have such devices. Moreover, a computer can be embedded in another device (e.g., a mobile telephone, a personal digital assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device (e.g., a universal serial bus (USB) flash drive), to name just a few). Devices suitable for storing computer program instructions and data include all forms of non-volatile memory, media, and memory devices, including, for example, semiconductor memory devices (e.g., EPROM, EEPROM, and flash memory devices); magnetic disks (e.g., internal hard disks or removable disks); magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.

[0087] To provide for interaction with a user, the subject matter described in this specification can be implemented on a computer having a display device (e.g., an LCD (liquid crystal display) screen for displaying information to the user) and a keyboard and a pointing device (e.g., a touch screen, stylus, mouse, etc.) by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user can be received in any form, including acoustic, speech, or tactile input. In addition, a computing device can interact with a user by sending documents to and receiving documents from a device that is used by the user; for example, by sending web pages to a web browser on a user's client device in response to requests received from the web browser.

[0088] Some of the subject matter described in this specification can be implemented in a computing system that includes a back-end component (e.g., a data server), or a middleware component (e.g., an application server), or a front-end component (e.g., a client computing device having a graphical user interface, or a Web browser through which a user can interact with an implementation of the subject matter described in this specification), or any combination of one or more such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a data network).

[0089] The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a data network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. In some implementations, a server transmits data to a client device. Data generated at the client device can be received from the client device at the server.

[0090] While this specification contains many specific implementation details, these should not be construed as limitations on the scope of what is claimed, but rather as descriptions of features specific to particular implementations. Certain features that are described in this specification in the context of separate implementations can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features of a claimed combination can in some cases be implemented in combination, and the claimed combination may be directed to a subcombination or a variation of a subcombination.

[0091] Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the implementations described above should not be understood as requiring such separation in all implementations, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.

[0092] In a general aspect of the present disclosure, encrypted authentication data is decrypted and stored on an authentication device. In some cases, the encrypted authentication data is accessed from the authentication device and replaced with unencrypted authentication data, for example, to enable operational aspects of the authentication device.

[0093] In some aspects, encrypted authentication data is stored on an authentication device. Unencrypted authentication data is generated by decrypting the encrypted authentication data. The unencrypted authentication data is stored on the authentication device to enable the authentication device to provide a valid reply message. The authentication device is configured to generate the valid reply message in response to receiving an interrogation message from an interrogation device.

[0094] Implementations of these and other aspects may include one or more of the following features. The authentication data includes certificate data. The authentication device is enabled during a manufacturing process. The manufacturing process includes receiving the authentication device having the encrypted certificate data stored on it. The manufacturing process includes associating the authentication device with a particular article of manufacture before generating the unencrypted certificate data. The article of manufacture includes a mobile device component configured to interface with a mobile device. The mobile device includes the interrogation device. The mobile device component includes a mobile device battery. The valid reply message includes the unencrypted certificate data and a provided response value. The authentication device is configured to generate the provided response value based on evaluating a cryptographic function using a secret value stored on the authentication device. The valid reply message also includes additional certificate data that is stored on the authentication device and is not included in the unencrypted certificate data. A decryption key is received independently of accessing the encrypted certificate data. The encrypted authentication data is decrypted using the decryption key. The unencrypted authentication data includes implicit certificate data.

[0095] In some aspects, encrypted authentication data stored on an authentication device associated with a mobile device battery is accessed. The mobile device battery is configured to supply power to a mobile device and to receive an interrogation message from the mobile device. Unencrypted authentication data for the authentication device is generated by decrypting the encrypted authentication data. The unencrypted authentication data is stored on the authentication device associated with the mobile device battery. Storing the unencrypted authentication data on the authentication device enables the authentication device to provide a valid reply message in response to receiving the interrogation message from the mobile device.

[0096] Implementations of these and other aspects may include one or more of the following features. The authentication device is configured to generate a provided response value based on a private key value associated with a public key value. The authentication device is configured to include the provided response value in the valid reply message. The unencrypted authentication data includes all or part of the private key data and/or the public key data. The authentication device is configured to include certificate data in the valid reply message. The certificate data validates the public key value corresponding to the private key used to generate the provided response value. The unencrypted authentication data includes all or part of the certificate data. The unencrypted certificate data includes all or part of an implicit certificate or an explicit certificate. The implicit certificate is an ECQV implicit certificate. The unencrypted certificate data includes a public key reconstruction value of the implicit certificate.

[0097] Additionally or alternatively, implementations of these or other aspects may include one or more of the following features. A decryption key is received independently of accessing the encrypted authentication data, and the encrypted authentication data is decrypted using the decryption key. The decryption key is used to decrypt the encrypted authentication data according to a symmetric encryption scheme, an asymmetric encryption scheme, or a combination of the two. The unencrypted authentication data is stored on the mobile device battery before the mobile device battery is coupled to the mobile device. The unencrypted authentication data is stored on the authentication device during a battery manufacturing process. The battery manufacturing process includes receiving, at a first manufacturing entity, the authentication device previously manufactured by a second manufacturing entity. The authentication device received from the second manufacturing entity has the encrypted certificate data stored on it. The battery manufacturing process includes associating, at the first manufacturing entity, the authentication device with the mobile device battery.
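The provisioning flow summarised in paragraphs [0092] to [0097], as an added Python example that is not part of the patent text: the chip ships with encrypted certificate data, cannot produce a valid reply until the battery maker, holding the separately delivered decryption key, replaces the blob with the plaintext. Assumptions: HMAC-SHA256 stands in for both the cipher and the public-key certificate and response value (the text names ECQV and private/public keys), so the interrogator here shares the issuer key; all function names, keys and the device identifier are hypothetical.

```python
import hashlib, hmac, json, os

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode); use AES-GCM in practice.
    blocks = (_mac(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_mac(key, b"enc"), nonce, plaintext)
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("wrong decryption key or modified blob")
    return _xor_stream(_mac(key, b"enc"), nonce, ct)

class AuthDevice:
    """Authentication chip: a secret value plus stored certificate data."""
    def __init__(self, secret: bytes, stored: bytes):
        self._secret = secret   # used only to compute response values
        self.stored = stored    # certificate data, encrypted as shipped

    def reply(self, challenge: bytes) -> dict:
        return {"cert": self.stored, "response": _mac(self._secret, challenge)}

def make_chip(issuer_key, device_id, transport_key) -> AuthDevice:
    """Second manufacturing entity: personalise the chip, ship the cert encrypted."""
    cert = json.dumps({"id": device_id.hex(),
                       "tag": _mac(issuer_key, b"cert" + device_id).hex()}).encode()
    return AuthDevice(_mac(issuer_key, b"secret" + device_id), seal(transport_key, cert))

def enable(device: AuthDevice, transport_key: bytes) -> None:
    """First manufacturing entity: decrypt the blob and store the plaintext in its place."""
    device.stored = unseal(transport_key, device.stored)

def reply_is_valid(issuer_key, challenge, reply) -> bool:
    """Interrogating device: check the certificate data, then the response value."""
    try:
        cert = json.loads(reply["cert"])
        device_id, tag = bytes.fromhex(cert["id"]), bytes.fromhex(cert["tag"])
    except (ValueError, KeyError, TypeError):
        return False            # still-encrypted or malformed certificate data
    if not hmac.compare_digest(tag, _mac(issuer_key, b"cert" + device_id)):
        return False
    expected = _mac(_mac(issuer_key, b"secret" + device_id), challenge)
    return hmac.compare_digest(reply["response"], expected)

def provisioning_demo():
    issuer_key, transport_key = os.urandom(32), os.urandom(32)  # constructed keys
    chip = make_chip(issuer_key, b"\x00\x01\x02\x03", transport_key)
    challenge = os.urandom(16)
    before = reply_is_valid(issuer_key, challenge, chip.reply(challenge))
    enable(chip, transport_key)  # key arrived separately from the chip
    after = reply_is_valid(issuer_key, challenge, chip.reply(challenge))
    return before, after
```

A chip diverted before the enabling step answers every interrogation with ciphertext in the certificate field, so the interrogating device rejects it even though the response value itself is computed correctly.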

[0098] Thus, particular implementations of the subject matter have been described. Other implementations are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous.

Claims (22)

Translated from Chinese

1. A method of managing, during a manufacturing process of a mobile device battery, authentication data for an authentication device associated with the mobile device battery, the method comprising: accessing encrypted authentication data stored on the authentication device associated with the mobile device battery, wherein the mobile device battery is configured to supply power to a mobile device and to receive an interrogation message from the mobile device; generating unencrypted authentication data for the authentication device by decrypting the encrypted authentication data; and storing the unencrypted authentication data on the authentication device associated with the mobile device battery, wherein storing the unencrypted authentication data on the authentication device enables the authentication device to provide a valid reply message in response to receiving the interrogation message from the mobile device.

3. The method of claim 2, wherein the unencrypted authentication data included in the reply message validates a public key value, and the valid reply message provided by the authentication device further includes a provided response value generated by the authentication device using a private key value associated with the public key value.

5. The method of claim 1, further comprising receiving a decryption key independently of accessing the encrypted authentication data, wherein the encrypted authentication data is decrypted using the decryption key.

6. The method of claim 5, wherein the decryption key is used to decrypt the encrypted authentication data according to a symmetric encryption scheme.

7. The method of claim 5, wherein the decryption key is used to decrypt the encrypted authentication data according to an asymmetric encryption scheme.

8. The method of claim 1, wherein the unencrypted authentication data is stored on the mobile device battery before the mobile device battery is coupled to the mobile device.

9. The method of claim 1, wherein enabling the authentication device to provide the valid reply message comprises enabling the authentication device during a battery manufacturing process.

10. The method of claim 9, wherein the battery manufacturing process comprises: receiving, at a first manufacturing entity, the authentication device previously manufactured by a second manufacturing entity, wherein the authentication device received from the second manufacturing entity has the encrypted authentication data stored on it; and associating, at the first manufacturing entity, the authentication device with the mobile device battery.

11. A system for managing authentication data for a mobile device battery during a manufacturing process of the mobile device battery, the system comprising: a mobile device battery that includes an authentication device, the mobile device battery including a mobile device interface configured to supply power to a mobile device and to receive an interrogation message from the mobile device; and an information management device configured to perform operations comprising: accessing encrypted authentication data stored on the authentication device; generating unencrypted authentication data by decrypting the encrypted authentication data; and enabling the authentication device to provide a valid reply message by storing the unencrypted authentication data on the authentication device, wherein the authentication device is configured to provide the valid reply message in response to receiving the interrogation message.

13. The system of claim 12, wherein the unencrypted authentication data included in the reply message validates a public key value, and the valid reply message provided by the authentication device further includes a provided response value generated by the authentication device using a private key value associated with the public key value.

14. The system of claim 11, wherein the information management device stores a decryption key, the decryption key being used to decrypt the encrypted authentication data.

15. The system of claim 11, further comprising the mobile device.

16. A method for managing authentication data for an authentication device, the method comprising: accessing encrypted certificate data stored on an authentication device; generating unencrypted certificate data by decrypting the encrypted certificate data; and enabling the authentication device to provide a valid reply message by storing the unencrypted certificate data on the authentication device, wherein the authentication device is configured to provide the valid reply message in response to receiving an interrogation message, wherein enabling the authentication device to provide the valid reply message comprises enabling the authentication device during a manufacturing process of an article of manufacture, and wherein the manufacturing process comprises: receiving the authentication device, the authentication device having the encrypted certificate data stored on it; and associating the authentication device with a particular article of manufacture before generating the unencrypted certificate data.

17. The method of claim 16, wherein the article of manufacture comprises a mobile device component configured to interface with a mobile device.

19. The method of claim 16, wherein the valid reply message includes the unencrypted certificate data and a provided response value, and the authentication device is configured to generate the provided response value based on evaluating a cryptographic function using a secret value stored on the authentication device.

20. The method of claim 19, wherein the valid reply message further includes additional certificate data that is stored on the authentication device and is not included in the unencrypted certificate data.

21. The method of claim 16, further comprising receiving a decryption key independently of accessing the encrypted authentication data, wherein the encrypted authentication data is decrypted using the decryption key.